So you have a private Bitbucket Repo and you want to utilize it in your project composer.json. You may find that when you run the composer install you get an error pulling your private Bitbucket repo with messages about Oauth failure that may include "Invalid OAuth consumer provided"

Bitbucket Authentication

Just to double check things, run your install again using the -vvv flag, and read the error messages carefully. If it still looks like an Oauth issue with your private Bitbucket repo, then this guide should help.

Bitbucket Setup

Next you need to go into Bitbucket and generate an Oauth key pair. You find this option in your Bitbucket account under: Settings | Access Management | Oauth

From this screen you will need to Add an Oauth Consumer. The important things you need to fill out are these:
- Name (I make this "Composer")
- Callback URL (This is required but not used, so I use http://www.example.com
- Check `read` for Projects and Repositories
- Check "This is a private consumer" if it is not already checked.
- Save

Getting a 400 error?

If you have an issue with the "This is a private consumer setting" as in, you forgot to check it, or you aren't sure if you did, Check your settings using the '...' menu to the far right of the line. You might have to scroll your Bitbucket window to see the edit control! You will find this type of problem by running composer -vvv install

Composer auth.json

At that point you have access to the Oauth key pair.
Now, in your user home directory, there should be a .composer directory.

In that directory open the auth.json file, or it doesn't exist, create it. In that file you need this:

It should be obvious that you need to edit this to include your Oauth Consumer Key pair you just generated in Bitbucket.

Bitbucket rights to the repo

Keep in mind that you need your Bitbucket user to have appropriate read rights to your repository. This is authenticating you to bitbucket, but your user still needs read access to the Repo if you are part of a team.

Composer credential caching note

After you've done your `composer install` successfully, you'll find that inside the .composer directory, composer creates a cache directory. In the vcs directory there will be directories created for the various vcs repositories installed. The names for these directories should make it obvious to you, as to which repositories they were generated for.

Inside this directory, the config file stores the authentication token received from bitbucket from the Oauth.

This bitbucket token expires after an hour, so you may find that you will need to clear these cached credentials upon subsequent composer installs or updates. You can do this with: